Public bug reported: When a port is created on a network with port security disabled, by default it should have port-security disabled too. But if using --no-security-group in the creation, than the port is created without security groups, but with port-security enabled.
openstack network show no-ps
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | defaultv3 |
| created_at | 2019-02-11T07:58:34Z |
| description | |
| dns_domain | |
| id | 58404ae1-650d-40c0-9ba9-9558f34fe81a |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| location | None |
| mtu | None |
| name | no-ps |
| port_security_enabled | False |
| project_id | 8d4f3035db954f32b320475c1213657c |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 3 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | 605cabbe-4064-4e66-8d3d-a5320abdfe2d |
| tags | |
| updated_at | 2019-02-11T07:58:39Z |
+---------------------------+--------------------------------------+
openstack port create --network no-ps --no-security-group no-sg
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| Field | Value
|
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| admin_state_up | UP
|
| allowed_address_pairs |
|
| binding_host_id | None
|
| binding_profile |
|
| binding_vif_details |
nsx-logical-switch-id='ca492f0f-34c3-4b9a-947c-1c53d651140f',
ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs
|
| binding_vnic_type | normal
|
| created_at | 2019-02-11T08:55:50Z
|
| data_plane_status | None
|
| description |
|
| device_id |
|
| device_owner |
|
| dns_assignment | fqdn='host-66-0-0-16.openstacklocal.',
hostname='host-66-0-0-16', ip_address='66.0.0.16' |
| dns_domain | None
|
| dns_name |
|
| extra_dhcp_opts |
|
| fixed_ips | ip_address='66.0.0.16',
subnet_id='605cabbe-4064-4e66-8d3d-a5320abdfe2d'
|
| id | 006a0952-469a-4de2-ac08-855155320582
|
| location | None
|
| mac_address | fa:16:3e:be:fa:c2
|
| name | no-sg
|
| network_id | 58404ae1-650d-40c0-9ba9-9558f34fe81a
|
| port_security_enabled | True
|
| project_id | 8d4f3035db954f32b320475c1213657c
|
| propagate_uplink_status | None
|
| qos_policy_id | None
|
| resource_request | None
|
| revision_number | 3
|
| security_group_ids |
|
| status | ACTIVE
|
| tags |
|
| trunk_details | None
|
| updated_at | 2019-02-11T08:55:50Z
|
+-------------------------+-----------------------------------------------------------------------------------------------------------+
The problem is in _determine_port_security_and_has_ip when the code is checking
validators.is_attr_set(port.get('security_groups')) instead of checking if it
is not empty
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1815424
Title:
Port gets port security disabled if using --no-security-groups
Status in neutron:
New
Bug description:
When a port is created on a network with port security disabled, by default
it should have port-security disabled too.
But if using --no-security-group in the creation, than the port is created
without security groups, but with port-security enabled.
openstack network show no-ps
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | defaultv3 |
| created_at | 2019-02-11T07:58:34Z |
| description | |
| dns_domain | |
| id | 58404ae1-650d-40c0-9ba9-9558f34fe81a |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| location | None |
| mtu | None |
| name | no-ps |
| port_security_enabled | False |
| project_id | 8d4f3035db954f32b320475c1213657c |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 3 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | 605cabbe-4064-4e66-8d3d-a5320abdfe2d |
| tags | |
| updated_at | 2019-02-11T07:58:39Z |
+---------------------------+--------------------------------------+
openstack port create --network no-ps --no-security-group no-sg
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| Field | Value
|
+-------------------------+-----------------------------------------------------------------------------------------------------------+
| admin_state_up | UP
|
| allowed_address_pairs |
|
| binding_host_id | None
|
| binding_profile |
|
| binding_vif_details |
nsx-logical-switch-id='ca492f0f-34c3-4b9a-947c-1c53d651140f',
ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs
|
| binding_vnic_type | normal
|
| created_at | 2019-02-11T08:55:50Z
|
| data_plane_status | None
|
| description |
|
| device_id |
|
| device_owner |
|
| dns_assignment | fqdn='host-66-0-0-16.openstacklocal.',
hostname='host-66-0-0-16', ip_address='66.0.0.16' |
| dns_domain | None
|
| dns_name |
|
| extra_dhcp_opts |
|
| fixed_ips | ip_address='66.0.0.16',
subnet_id='605cabbe-4064-4e66-8d3d-a5320abdfe2d'
|
| id | 006a0952-469a-4de2-ac08-855155320582
|
| location | None
|
| mac_address | fa:16:3e:be:fa:c2
|
| name | no-sg
|
| network_id | 58404ae1-650d-40c0-9ba9-9558f34fe81a
|
| port_security_enabled | True
|
| project_id | 8d4f3035db954f32b320475c1213657c
|
| propagate_uplink_status | None
|
| qos_policy_id | None
|
| resource_request | None
|
| revision_number | 3
|
| security_group_ids |
|
| status | ACTIVE
|
| tags |
|
| trunk_details | None
|
| updated_at | 2019-02-11T08:55:50Z
|
+-------------------------+-----------------------------------------------------------------------------------------------------------+
The problem is in _determine_port_security_and_has_ip when the code is
checking validators.is_attr_set(port.get('security_groups')) instead of
checking if it is not empty
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1815424/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
